From 94b9448664b075a7b8088a4e701429413e052e56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=C3=A5rd=20Ove=20Hoel?=
Date: Wed, 31 Jul 2024 15:30:36 +0200
Subject: [PATCH 1/2] added grafana alloy to default_deny and app netpol
---
 .../namespace/default_deny_network_policy.go | 26 +++++++++++++++++++
 .../networking/network_policy.go | 24 +++++++++++++++++
 .../application-istio-assert.yaml | 10 +++++++
 .../application-simple-assert.yaml | 10 +++++++
 tests/namespace/default-deny/assert.yaml | 7 +++++
 5 files changed, 77 insertions(+)
diff --git a/controllers/namespace/default_deny_network_policy.go b/controllers/namespace/default_deny_network_policy.go
index bc373bbf..24e05f74 100644
--- a/controllers/namespace/default_deny_network_policy.go
+++ b/controllers/namespace/default_deny_network_policy.go
@@ -113,6 +113,32 @@ func (r *NamespaceReconciler) reconcileDefaultDenyNetworkPolicy(ctx context.Cont
 },
 },
 },
+ // Egress rule for grafana-alloy
+ {
+ To: []networkingv1.NetworkPolicyPeer{
+ {
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"kubernetes.io/metadata.name": "grafana-alloy"},
+ },
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app.kubernetes.io/instance": "alloy",
+ "app.kubernetes.io/name": "alloy",
+ },
+ },
+ },
+ },
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: util.PointTo(corev1.ProtocolTCP),
+ Port: util.PointTo(intstr.FromInt(4317)),
+ },
+ {
+ Protocol: util.PointTo(corev1.ProtocolTCP),
+ Port: util.PointTo(intstr.FromInt(4318)),
+ },
+ },
+ },
 },
 }
diff --git a/pkg/resourcegenerator/networking/network_policy.go b/pkg/resourcegenerator/networking/network_policy.go
index 4a879b71..263c0ca4 100644
--- a/pkg/resourcegenerator/networking/network_policy.go
+++ b/pkg/resourcegenerator/networking/network_policy.go
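Review bot: The new egress rule in reconcileDefaultDenyNetworkPolicy spells out the alloy namespace name, the two pod labels and the ports 4317/4318 as bare literals, and the identical namespace/pod selector literals are repeated in the getIngressRules hunk of pkg/resourcegenerator/networking/network_policy.go, so the two policies can silently drift apart. Hoisting them into shared constants, e.g. `const alloyNamespace = "grafana-alloy"` alongside the existing util helpers, and reusing one selector-building helper in both files would keep them in step. The ports also deserve a why-comment, since this rule opens them for every pod in the namespace: `// 4317/4318 are presumably alloy's OTLP gRPC/HTTP receivers; reachable from all pods in the namespace — confirm against the alloy deployment`. The enclosing function starts and ends outside this hunk.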
@@ -160,6 +160,27 @@ func getIngressRules(opts NetPolOpts) []networkingv1.NetworkPolicyIngressRule {
 // Allow grafana-agent to scrape
 if opts.IstioEnabled {
+ promScrapeRuleAlloy := networkingv1.NetworkPolicyIngressRule{
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"kubernetes.io/metadata.name": "grafana-alloy"},
+ },
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app.kubernetes.io/instance": "alloy",
+ "app.kubernetes.io/name": "alloy",
+ },
+ },
+ },
+ },
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Port: util.PointTo(util.IstioMetricsPortName),
+ },
+ },
+ }
+
 promScrapeRule := networkingv1.NetworkPolicyIngressRule{
 From: []networkingv1.NetworkPolicyPeer{
 {
@@ -181,7 +202,10 @@ func getIngressRules(opts NetPolOpts) []networkingv1.NetworkPolicyIngressRule {
 },
 }
+
+ ingressRules = append(ingressRules, promScrapeRule)
+ ingressRules = append(ingressRules, promScrapeRuleAlloy)
 }
 if opts.AccessPolicy == nil {
diff --git a/tests/application/service-monitor/application-istio-assert.yaml b/tests/application/service-monitor/application-istio-assert.yaml
index 3ea24019..63fbfc36 100644
--- a/tests/application/service-monitor/application-istio-assert.yaml
+++ b/tests/application/service-monitor/application-istio-assert.yaml
@@ -102,3 +102,13 @@ spec:
 app.kubernetes.io/name: grafana-agent
 ports:
 - port: istio-metrics
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: grafana-alloy
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: alloy
+ app.kubernetes.io/name: alloy
+ ports:
+ - port: istio-metrics
diff --git a/tests/application/service-monitor/application-simple-assert.yaml b/tests/application/service-monitor/application-simple-assert.yaml
index 5ec69b14..565581e1 100644
--- a/tests/application/service-monitor/application-simple-assert.yaml
+++ b/tests/application/service-monitor/application-simple-assert.yaml
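Review bot: The context comment `// Allow grafana-agent to scrape` directly above the new promScrapeRuleAlloy is now stale, because the block it introduces builds the alloy rule as well; change it to `// Allow grafana-agent and grafana-alloy to scrape the istio metrics port`. The alloy ingress rule is created only inside `if opts.IstioEnabled`, so workloads without Istio get no alloy scrape access; if that is intended it is worth a sentence in the same comment, since a reader could otherwise take it for an omission. getIngressRules starts and ends outside this hunk.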
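Review bot: The two consecutive appends added at the end of the `if opts.IstioEnabled` block, plus the new empty line before them, read as one statement split in two; `ingressRules = append(ingressRules, promScrapeRule, promScrapeRuleAlloy)` says the same thing in one line and makes it obvious both rules are gated by the same condition. The enclosing function continues outside the hunk.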
@@ -91,3 +91,13 @@ spec:
 app.kubernetes.io/name: grafana-agent
 ports:
 - port: istio-metrics
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: grafana-alloy
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: alloy
+ app.kubernetes.io/name: alloy
+ ports:
+ - port: istio-metrics
\ No newline at end of file
diff --git a/tests/namespace/default-deny/assert.yaml b/tests/namespace/default-deny/assert.yaml
index 61ed20f0..8bad06dd 100644
--- a/tests/namespace/default-deny/assert.yaml
+++ b/tests/namespace/default-deny/assert.yaml
@@ -51,3 +51,10 @@ spec:
 matchLabels:
 app.kubernetes.io/instance: grafana-agent
 app.kubernetes.io/name: grafana-agent
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: grafana-alloy
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: alloy
+ app.kubernetes.io/name: alloy
From d48210333e2590341a0b858b853f6d0cbffa6f29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=C3=A5rd=20Ove=20Hoel?= <93327610+BardOve@users.noreply.github.com>
Date: Fri, 2 Aug 2024 09:15:56 +0200
Subject: [PATCH 2/2] Update assert.yaml
---
 tests/namespace/default-deny/assert.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tests/namespace/default-deny/assert.yaml b/tests/namespace/default-deny/assert.yaml
index 8bad06dd..a22b9362 100644
--- a/tests/namespace/default-deny/assert.yaml
+++ b/tests/namespace/default-deny/assert.yaml
@@ -51,6 +51,12 @@ spec:
 matchLabels:
 app.kubernetes.io/instance: grafana-agent
 app.kubernetes.io/name: grafana-agent
+ - ports:
+ - port: 4317
+ protocol: TCP
+ - port: 4318
+ protocol: TCP
+ to:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: grafana-alloy
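Review bot: The new last line `- port: istio-metrics` in application-simple-assert.yaml is committed without a trailing newline (the `\ No newline at end of file` marker), which the sibling application-istio-assert.yaml hunk does not have; add the newline so the next append to this file does not show up as a two-line change.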